Protecting personal computers against a never-ending onslaught of “pestware” such as viruses, Trojan horses, spyware, adware, and downloaders on personal computers has become vitally important to computer users. Some pestware is merely annoying to the user or degrades system performance. Other pestware is highly malicious. Many computer users depend on anti-pestware software that attempts to detect and remove pestware automatically.
Anti-pestware software typically scans running processes in memory and files contained on storage devices such as disk drives, comparing them, at expected locations, against a set of “signatures” that identify specific, known types of pestware. Once found, the pestware can often be removed from the system. In some situations, however, merely detecting a particular pestware process and removing it from the system is insufficient. This can result where the pestware is made up of a primary part and a secondary (dependent) part. For example, the secondary part may be executed briefly at startup—just long enough to launch (or, if necessary, reinstall) the primary part. Consequently, a scan of executable memory is unlikely to detect the secondary part. If the secondary part reinstalls the primary part after the primary part has been detected and deleted, the original pestware infestation recurs.
This problem is worsened where the pestware conceals or “guises” the identity and location on the computer of the secondary part. For example, the pestware may alter the file name of the secondary part in a random fashion each time the pestware is executed. Using a conventional signatures-based approach to detect such a secondary pestware object is like trying to hit a moving target. As a result, conventional anti-pestware software may be ineffective in detecting and removing secondary or dependent pestware objects.
It is thus apparent that there is a need in the art for an improved method and system for detecting dependent pestware objects on a computer.